Mailbox iOS app is a security fail (subhb.org)
98 points by subhb 1730 days ago | 55 comments

“if anyone else can get hold of your phone, he can access to files of those apps where data is not protected.”

As always, if someone has physical access and unlimited time, no device or computer is safe.

Also, Mailbox.app only supports GMail. Security minded people are obviously not the target market.

If you get physical access you can also read all the mails in Apple's Mail.app, or any other app on the device. Maybe not using a tool, but you can easily read them in the app, forward them, and send fake e-mails using the account of the user.

(edited to make my point more clear :)

Not if the device is locked. The author talks about this in the post - a properly secured file is only decrypted when the device is unlocked (in which case the mail is readable by anyone with fingers, no need for fancy USB cables).

When the device is locked the file is encrypted and cannot be easily retrieved with a USB cable and a file explorer. An app that does not properly secure its files is readable even when the device is locked.

That's not entirely correct. If the app uses the correct APIs to inform the system that particular files need more protection, then those files receive more protection. The details are available to a free dev account on Apple's developer site. As long as the device remains locked, such files remain encrypted.

Whether users pick appropriate passwords is another matter entirely.

Or, you could just... open up Mail.app? and read the emails without a tool haha.

Yes, that's my point.

Are you sure about that? I would think that Mail.app used appropriate file protection settings, in which case the file contents are encrypted with a key derived from the user's PIN/passcode.

Well, that's a non-issue: a locked iPhone will secure Mail.app's data; it won't secure Mailbox's because Mailbox hasn't told the phone to.

@Samuel_Michon I take issue with the crap you are spreading.

> if someone has physical access and unlimited time

There is no such thing as unlimited resources.

If I had unlimited time I could crack every encrypted message on the planet.

Using DPAPI turns a 30 second hack into an online cracking job. The crypto processor in the iPhone can only check one password every ~80ms and you need the chip with you. An attacker cannot do an offline attack.

Does that mean that basic security should not be in a company's mind, especially when it comes to the kind of data emails can contain? Mailbox is BIG. We are not talking of an average app here!

Email is not secure. Email has never been secure. Nothing you send over email is secure. There's little authentication and no signing.

All this stuff can be kludged onto email, but the attitude should be "unless I've taken measures to add security this thing is not secure".

Sure, but that's also like saying "car accidents are inevitable, so let's not put on our seat belts".

A basic bit of security, especially one that doesn't put any more load on the user (to have to maintain or set up) is a pretty big no-brainer. Raising the bar for a successful hack is also worth doing when the cost is a single line of code and no effort on the user's part.

If we're using analogy it's more like telling bicycle riders to use anti-puncture tape. Sure, it'll reduce the chance of getting a puncture but does nothing when they go under a truck.

What's on offer here? 10 minutes extra tamper resistance? For a protocol which is inherently insecure?

What's on offer here is the ability to exclude a large class of attackers entirely - script kiddies with a commonly available file explorer tool.

Sure, if you're the CEO of some big company and a skilled attacker really wants at your email, this is only a stopgap - but this is also sufficient to stop less proficient attackers entirely. For most people this is all they need.

> "it's more like telling bicycle riders to use anti-puncture tape."

If anti-puncture tape has literally no downsides whatsoever to the bicycle rider's experience, and costs nothing, then yes. Why wouldn't you have it?

Actually a small class of attackers - script kiddies with a commonly available file explorer tool and physical access to your phone.

Email may not be generally secure, but it is still easier to plug a phone into a computer than to access someone's email account without knowing their credentials. 10 minutes could be the difference between someone copying your emails from your lost iPhone and said person being unable to copy anything because you remote wiped your phone.

“Does that mean that basic security should not be in a company's mind”

I wasn’t suggesting it shouldn’t be. My point is that the article’s headline is overly dramatic: Mailbox.app is not a complete security failure because of one hack that requires physical access. Given that Mailbox only supports GMail, I’d be more worried to put my email in Google’s hands than worrying over someone grabbing my phone out of mine.

“Mailbox is BIG. We are not talking of an average app here!”

Mailbox.app is a free app that has been downloaded a couple of million times, I wouldn’t call it “BIG” yet. It’s very new, it’s still on version 1, so it’s not expected to be perfect.

> Mailbox.app is not a complete security failure because of one hack that requires physical access

The problem is that we take mobile devices with us every place we go. So physical access is not difficult to obtain.

This really is a big deal primarily because the developers of Mailbox.app did not take steps to even obfuscate the stored data...which would deter all but the most determined of attackers.

You are confusing access to the computer itself with access to the data it contains.

Given physical access and "unlimited" time (i.e. no more than a million human lifetimes, say), then certainly an attacker can gain access to the device and make it do what he wants.

However, if the data on the device is securely encrypted, then physical access and (reasonable) time doesn't matter. He won't be able to get at the data.

The original article misses the whole point of the NSFileProtection API: the strongest level of protection, NSFileProtectionComplete, prevents access to files while the device is locked. The whole point of the API is to protect things until the user has authenticated. (It's quite possible Mailbox is already using this API, given the evidence presented.)

In other words, this is the expected behaviour when your phone is unlocked.

See: https://developer.apple.com/library/ios/documentation/Cocoa/...
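As an added illustration of the API referenced in the comment above (not code from the thread, from Mailbox, or from Apple's documentation): a cached message is written with NSFileProtectionComplete, and the app's Documents directory is audited for files that would stay readable from a paired computer while the device is locked. The file name and the sample message are constructed placeholders.

```objective-c
#import <Foundation/Foundation.h>

// Added example, not code from the thread or from Mailbox.
// The file name and the sample message are constructed placeholders.

// Write data so that it is decryptable only while the device is unlocked.
BOOL writeProtected(NSData *data, NSString *path, NSError **error) {
    return [data writeToFile:path
                     options:NSDataWritingAtomic | NSDataWritingFileProtectionComplete
                       error:error];
}

// Upgrade an already-written file's protection class in place.
BOOL protectExisting(NSString *path, NSError **error) {
    NSDictionary *attrs = @{ NSFileProtectionKey: NSFileProtectionComplete };
    return [[NSFileManager defaultManager] setAttributes:attrs
                                            ofItemAtPath:path
                                                   error:error];
}

// Audit: flag every regular file under `dir` whose class is anything other
// than NSFileProtectionComplete. NSFileProtectionNone and
// ...CompleteUntilFirstUserAuthentication stay readable over USB once the
// device has been unlocked since boot, which is the gap the thread is about;
// ...CompleteUnlessOpen is flagged as well because it is weaker than Complete.
NSArray *filesReadableWhileLocked(NSString *dir) {
    NSFileManager *fm = [NSFileManager defaultManager];
    NSMutableArray *weak = [NSMutableArray array];
    for (NSString *rel in [fm enumeratorAtPath:dir]) {
        NSString *path = [dir stringByAppendingPathComponent:rel];
        NSDictionary *attrs = [fm attributesOfItemAtPath:path error:NULL];
        if ([attrs[NSFileType] isEqualToString:NSFileTypeDirectory]) continue;
        if (![attrs[NSFileProtectionKey] isEqualToString:NSFileProtectionComplete])
            [weak addObject:path];
    }
    return weak;
}

int main(void) {
    @autoreleasepool {
        NSString *docs = [NSSearchPathForDirectoriesInDomains(
            NSDocumentDirectory, NSUserDomainMask, YES) firstObject];
        NSString *path = [docs stringByAppendingPathComponent:@"message-cache.dat"];
        NSData *msg = [@"From: alice@example.com\r\nSubject: constructed sample\r\n"
                       dataUsingEncoding:NSUTF8StringEncoding];
        NSError *err = nil;
        if (!writeProtected(msg, path, &err)) NSLog(@"write failed: %@", err);
        for (NSString *p in filesReadableWhileLocked(docs))
            NSLog(@"readable while locked: %@", p);
    }
    return 0;
}
```

The audit only reports on the app's own sandbox; it cannot inspect other apps' containers, so it is a check for developers of an app, not for users of someone else's.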

I'm less concerned about physical access to the device, but more concerned about third-party services like Mailbox increasing the number of attack vectors on your inbox. Mailbox has total access to your email account. Now somebody can either attempt to hack Google's servers, or Mailbox's servers. It's enough to convince me not to sign up for their service since email provides the gateway to virtually everything else.

This. Why is no one talking about this massive elephant in the room? Mailbox wants you to trust it (and its employees) with (reversibly-encrypted? I haven't used the app but I don't know how it could provide all its features without this) access to and storage of your Gmail account and all your emails?! I barely trust Google with that.

This article just helps compound the idea that that trust might be a little misplaced....

Mailbox was nice, but I dropped it after a week when your point occurred to me. As far as I could tell, the only reason it needed full access was for push notifications. There was no discussion at all of account security, and I just couldn't bring myself to trust them. There's no way one of the usual cutesy startup apologies would cut it here if they compromised my email.

I'm back to Sparrow now (which doesn't do push) and quite happy: Mail.app tells me I have a new message, then I process my emails in Sparrow.

An important fact is wrong: You actually need to unlock the device to access the data unless the iPhone and the computer were paired before.

You can retrieve data from the device with special equipment after opening the phone. This is beyond the typical "geek".

If you jailbreak the phone you can access all non protected data.

iOS Mail app uses DAPI correctly. For push mail when the phone is locked it will use a public key to encrypt the data.

I am unsure if even the Gmail app uses it correctly, I only tested the stock mail app.

If you have an escrow key pair (i.e. synced to iTunes) you are screwed. You should do a DFU mode restore to wipe the keybag completely.

> You can retrieve data from the device with special equipment after opening the phone. This is beyond the typical "geek".

Citation needed.

Most people with passcodes set auto lock after a few minutes. An attacker can pair a device left briefly unattended by just connecting it to their Mac in just a few seconds.

Then, even if the device is later locked, they can bulk copy unencrypted files using tools like iExplorer, and browse at their leisure.

It's funny how some business class apps store usernames and passwords in clear text in their app sandboxes.

This is correct @nezza. I should have verified this with my friend's iPhone first. But the original issue still remains the same which is the files are not protected!

They aren't protected if you go into the app and look at the files (probably turning data off first).

If you can unlock the phone, you've almost certainly already lost here.

There are so many things one can do if he/she has access to your entire mail folder or contacts (by copying it using iExplorer or similar forensic tools) vs. just browsing a few emails. As for attachments, in one case one can get access to all your local attachments; in the other case he/she probably needs to forward those emails to an email id to access them.

Don't have any data on this, but I know a bunch of not-so-tech-savvy people that don't use lock codes. Their data's then as naked as a Greek nude.

If the device is not locked, how about just launching the Mailbox app and browsing the attachments via its fancy UI? :)

On any app that contains sensitive information, one should probably implement passcode security on the application itself. Now this might annoy some users, but if you know you are going to use it for something special, you won't mind it!

So therefore, your article could have been titled "{Mailbox|GMail|iMail|all_other_mail_clients_ever} is a Security Fail!"?

Because as far as I am aware, few mail clients either support or (if they do) actively encourage an extra password layer, and your users do not want it. Given an average un-password-protected phone, you will be able to read their email even if they were using the iOS encrypted files framework, just by opening the app.

I apologize, but it appears that your headline is deliberate sensationalism. If you want to have a discussion about how we need to secure email apps in general, I'm interested. If you want to just pick the latest 'big thing' and take pot shots at it, nah.

@tmpajk How does it make Mailbox more secure? Let's talk about the scenario where you have access to an iPhone for a few minutes. In one case, you can go through some contents; in another case you can copy all emails and contacts. My whole point is that files, attachments or information on every app that has sensitive information should be protected. There are various ways to do it on iOS! One can use the keychain to store some secret key and protect these files using that secret key.

The risk is that people assume their email is secure because the email storage on the iPhone is secure.

Where is the key kept then? One possibility, the user has to know it, at which point we're back to the fact that users don't seem to want a password for their email app (again, happy to see an interesting post on the generalities of email app security). The other approach is to store it somewhere on the phone, at which point connecting the phone to a computer as you describe is still an attack vector; you just need to find the key.

Of course, I am not highly versed in security, so if there's another option I'm interested to hear it.

One can keep a secret key anywhere other than the Documents or Library directory of such apps. One obvious place would be the device keychain.
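An added example of the keychain approach suggested above (not code from the thread or from Mailbox): the secret's availability is tied to the lock state by kSecAttrAccessibleWhenUnlockedThisDeviceOnly, so a computer copying the sandbox while the phone is locked gets neither the key nor, if the files are encrypted under it, their contents. The service and account names are placeholders, and the key still has to be used with a real cipher (for instance AES via CommonCrypto), which is omitted here.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Added example, not code from the thread or from Mailbox.
// Service and account names are placeholders chosen for this example.
static NSString *const kService = @"com.example.mailcache";   // placeholder
static NSString *const kAccount = @"file-encryption-key";    // placeholder

static NSMutableDictionary *baseQuery(void) {
    return [@{ (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
               (__bridge id)kSecAttrService: kService,
               (__bridge id)kSecAttrAccount: kAccount } mutableCopy];
}

// Generate a fresh 256-bit key from the system CSPRNG; nil on failure.
NSData *newRandomKey(void) {
    uint8_t buf[32];
    if (SecRandomCopyBytes(kSecRandomDefault, sizeof buf, buf) != errSecSuccess) return nil;
    return [NSData dataWithBytes:buf length:sizeof buf];
}

// Store (or replace) the key. The accessibility attribute is the important
// part: the item is decryptable only while unlocked and is never migrated
// to another device through a backup. Returns errSecSuccess on success.
OSStatus storeSecret(NSData *key) {
    NSMutableDictionary *q = baseQuery();
    SecItemDelete((__bridge CFDictionaryRef)q);   // drop any earlier copy
    q[(__bridge id)kSecValueData] = key;
    q[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)q, NULL);
}

// Load the key. Returns nil when it is missing or when the device is locked
// (status errSecInteractionNotAllowed); callers must treat nil as
// "data not available now", not as an error to paper over with a fallback.
NSData *loadSecret(OSStatus *status) {
    NSMutableDictionary *q = baseQuery();
    q[(__bridge id)kSecReturnData] = @YES;
    q[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
    CFTypeRef out = NULL;
    *status = SecItemCopyMatching((__bridge CFDictionaryRef)q, &out);
    return (*status == errSecSuccess) ? (__bridge_transfer NSData *)out : nil;
}
```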

The very fact that so many apps (Facebook, Twitter, Mail etc) remain signed in while not in use prompted me to use a lock code (albeit with a 5 min grace period, a trade off for convenience). I can't see why anyone wouldn't want it enabled.

I think most devices paired with an ActiveSync (Exchange, GMail) account are required to use lock codes.

Having said the above, one can copy all the contacts and emails of someone in a few seconds. This is different than just browsing an email on the UI (one would need time for that). What if someone has got access to an iDevice just for a few seconds? Ohh sir, you dropped your phone. Here you go, but thanks to iExplorer I have all your documents and contacts now! Is this an issue? Depends what you use your email for!

Ever tried doing it in "a few seconds"? It takes several minutes in fact.

I'd recommend "Hacking and Securing iOS Applications" by O'Reilly. It really explains well the security and permissions model on the phone.

The argument that 'once you've lost the phone you've lost the data anyway' isn't really fair. If a passcode is being used, data marked as being a security concern is protected with the passcode. A 4 digit code is trivial to brute force, yes, but the point is that it should be done anyway.

Using iExplorer to find files is a lot easier than loading a custom bootloader on to the phone, booting custom firmware, brute forcing the passcode and decrypting the files. If anything, the extra time will raise the chance that you can get to a computer and initiate a remote-wipe.

This is like telling someone you can access his ~/Documents/ and read the content of files within when he leaves his laptop unattended and logged in.

One needs to handle security differently for mobile devices and for laptops. When it comes to the example I gave above, in one case a person can read the contents of the files; in another case the same person can copy your entire content. Now if that's not something to worry about, what is!

That's not worrying at all. Considering you need the passcode of the device to do so. If they have the passcode, or there isn't one, then the attacker can just open the app and look without extracting the files. These aren't passwords stored in plaintext. This is plaintext stored in plaintext.

Mailbox.app is a security concern because it copies all of your Gmail to its own cloud server, and delivers the email to the app from there. Sure, it's exposing your emails on the device. I'm more concerned about them exposing _everyone's_ emails when their cloud platform is exploited.

Can someone verify this with an iOS 5 device? On iOS 6.1.3 this doesn't work anymore though. But someone just claimed this on the blog: "I ran a test using my iPhone 5 and a computer I’ve never synced with before. I didn’t need to unlock the phone before getting access to it I don’t believe. I did manage to browse all my mailbox files."

You don't need to sync your device to pair it. This someone may have connected his unlocked device to the computer, which is enough to pair the device. Once a device is paired, the file system can be browsed regardless of lock status.

I have not tested with a new 6.1.3 device yet, but if true, this would be a very serious security regression.

There is a secure store solution available from a company located in Germany. They call it "Secure Incremental Store", an enhancement for Core Data.

Interesting. But Apple provides protection API for Core Data as well as a part of their SDK.

Protection API is not enough -> jailbreak. And with device passcode disabled the door is open.

If you lose your phone it's already game over. Here's an idea... if you have important data that you want to be secure... DON'T KEEP IT ON YOUR PHONE.

How about that, huh ?

How about making it more secure! Won't it solve the problem? It's not just about the Mailbox app, it's about all the apps that should protect users' data. Should they care about their users' data or leave it up to the device to protect it?

No. Sorry but encryption doesn't really solve the problem. If you lose the device with valuable info on it, the info will be recovered even if it's encrypted.

Encryption absolutely solves the problem. Otherwise any kind of online security would be impossible.

You might need to use an actual strong password though and not the 4 digit passcode.
